Practice Good Enterprise Security Management. Presented by Laurence CHAN, MTR Corporation Limited

Similar documents
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION. A Kill Chain Analysis of the 2013 Target Data Breach

Hong Kong Information Security Outlook 2015 香 港 資 訊 保 安 展 望

I ve been breached! Now what?

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Security Management. Keeping the IT Security Administrator Busy

How a Company s IT Systems Can Be Breached Despite Strict Security Protocols

A practical guide to IT security

MITIGATING LARGE MERCHANT DATA BREACHES

Agenda , Palo Alto Networks. Confidential and Proprietary.

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

Franchise Data Compromise Trends and Cardholder. December, 2010

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

F G F O A A N N U A L C O N F E R E N C E

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

INDUSTRY OVERVIEW: RETAIL

Network/Cyber Security

Security & Compliance, Sikich LLP

Data Center security trends

Policy for Protecting Customer Data

Supplier Information Security Addendum for GE Restricted Data

Data Breach Response Planning: Laying the Right Foundation

Network Security Policy

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

Security Policy for External Customers

Intro. Tod Ferran, CISSP, QSA. SecurityMetrics. 2 years PCI and HIPAA security consulting, performing entity compliance audits

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Defending Against Data Beaches: Internal Controls for Cybersecurity

INCIDENT RESPONSE CHECKLIST

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

White Paper THE FOUR ATTACK VECTORS TO PREVENT OR DETECT RETAILER BREACHES. By James Christiansen, VP, Information Risk Management

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

GEARS Cyber-Security Services

Webinar: Creating a Culture of Cybersecurity at Work

Client Security Risk Assessment Questionnaire

KEY STEPS FOLLOWING A DATA BREACH

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

GE Measurement & Control. Cyber Security for NEI 08-09

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Information Security It s Everyone s Responsibility

Software that provides secure access to technology, everywhere.

Data Access Request Service

Data Breaches and Cyber Risks

Cyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014

That Point of Sale is a PoS

IBM Security Strategy

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Remote Deposit Quick Start Guide

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Overall, which types of fraud has your organisation experienced in the past year?

Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.

Logging In: Auditing Cybersecurity in an Unsecure World

10 Smart Ideas for. Keeping Data Safe. From Hackers

V ISA SECURITY ALERT 13 November 2015

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Automation Suite for. 201 CMR Compliance

PCI Compliance: Protection Against Data Breaches

13 Ways Through A Firewall

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Online Security Awareness - UAE Exchange - Foreign Exchange Send Money UAE Exchange

Small businesses: What you need to know about cyber security

Security Overview. BlackBerry Corporate Infrastructure

Cybersecurity Health Check At A Glance

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Presented by: Mike Morris and Jim Rumph

Practical Steps To Securing Process Control Networks

How To Manage Security On A Networked Computer System

Cybersecurity: What CFO s Need to Know

2012 Data Breach Investigations Report

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

The Key to Secure Online Financial Transactions

Information Security It s Everyone s Responsibility

IT Security Risks & Trends

Project Title slide Project: PCI. Are You At Risk?

Did you know your security solution can help with PCI compliance too?

Security. Tiffany Trent-Abram VP, Global Product Management. November 6 th, One Connection - A World of Opportunities

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

Transcription:

Practice Good Enterprise Security Management Presented by Laurence CHAN, MTR Corporation Limited

About Me Manager Information Security o o o o Policy formulation and governance Incident response Incident investigation Security advisor

Disclaimer The security sharing follows is based on well known security practices in the industry. It has no relations with the security measures in the MTR Corporation Limited.

Assets What aspects of assets are concerned most to an enterprise? Information Confidentiality Integrity Availability Business service availability System service availability

Threats External threats examples Virus attack APT attack DDoS attack Social engineering (e.g. phising, watering hole) Internal threats Intentional data theft Unintentional data leakage/loss

Impacts Assess the impacts of attacks in your environment Commercial deals / tender information Business strategy information Customer data Business system out of service Organization reputation / image Legal / Contractual obligations

What s happening Malware and APT attack On 19 Dec 2013, Target Chief Executive Gregg Steinhafel confirmed that the company's pointof-sale systems had been infected with malware, which led to the theft of 40 million credit and debit card accounts and personally identifiable information for 70 million people. Thieves were able to sell information from these cards via online black market forums.

What s happening Malware and APT attack Those purchasing the information can then create and use counterfeit cards. Fraudsters often use these cards to purchase high-dollar items, and if PIN numbers are available, can extract a victim s money directly from an ATM.

What s happening Malware and APT attack Malware installed on point of sale (POS) enabled the data theft. This malware utilized a RAM scraping attack, which allowed for the collection of unencrypted, plaintext data as it passed through the infected POS machine s memory before transfer to the company s payment processing provider. The malware available on black market cyber crime forums for between USD 1,800 and USD 2,300.

What s happening Malware and APT attack Attackers first installed their malware on a small number of POS terminals between November 15 and November 28, with the majority of Target s POS system infected by November 30. Attackers also installed malware, designed to move stolen data through Target s network and the company s firewall, on a Target server. Attackers updated it twice more, during December 2 and December 3

What s happening Malware and APT attack Target s anti-intrusion software showed warnings that the attackers were installing malware on Target s system. Target appeared to have failed to respond to multiple such warnings. Target also failed to respond to multiple warnings from the anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target s network.

What s happening Malware and APT attack Attackers first gained access to Target s system by stealing credentials from an HVAC and refrigeration company, Fazio Mechanical Services, based in Sharpsburg, Pennsylvania. This company had remote access to Target s network for electronic billing, contract submission, and project management purposes.

What s happening Malware and APT attack At least two months before the Target data breach began, attackers stole Fazio Mechanical s credentials for accessing Target s network via phishing emails infected with malware. How are you managing service providers usnig remote access to your network? How do you manipulate the system warnings?

Policy and Standards ISO/IEC 27001:2013 - Information Security Management System (ISMS) requirements standard ISO/IEC 27002:2013 - Code of practice for information security controls National Institute of Standards and Technology (NIST) OGCIO IT Security Policy and Guidelines More references Develop security policy with respect to your business and operational environment.

Network DMZ Technical Measures Firewall Router Proxy Reverse proxy Email gateway Antivirus Authentication

Network DMZ Technical Measures IDS and IPS Vulnerability and patch management Data loss prevention Controls over remote access

Technical Measures Endpoint device security Antivirus Desktop/personal firewall USB controls Program whitelist Data encryption at storage Vulnerability and Patch management

Technical Measures Controls to data manipulation Password encrypted in storage Customer data encrypted in storage Logical controls on data access Role-based access permissions

Technical Measures Classify your data Data access principles Need to Know Need to Hold Grant access permissions according to the above two principles Access logging Secure printing Secure erasure of data

Technical Measures Contingency Data backup System backup System resilience Backup site Drill of system and data recovery

Technical Measures What s more SIEM Anti-malware solution Real time monitoring of network Two-factor authentications for remote access by third-party vendors Check intrusion detection alerts and respond promptly

Technical Measures What s more Disable guest accounts and change default account password Separate network segments for containment of attacks Separate critical business systems from Internet communications

Manual Controls Supplement to technical measures especially when technical measures are not possible Division of labor and authority Defined procedures of approval to access critical workstations and privilege accounts Physically secure critical workstations and systems

Human Factor Staff awareness Don t disclose password Don t share individual accounts Secure use of USB drive Use USB drive of built-in security Emails Internet browsing Mobile devices Secure data disposal

Incident Response Handling information security incidents Identification security incident vs operation incident Escalation Containment Limit affected scope Protect critical systems and data Mitigation Patch loophole, remove malware, change passwords, etc.

Incident Response Handling information security incidents Recovery of system service and data Aftermath Post-incident analysis Improve security measures Improve incident response procedures and communications Incident Report You are not alone: OGCIO and HK Police

Summary Technology is changing Tactics of cyber attacks are changing Keep abreast of new technology, new attacks, and assess how they may impact your assets

Q & A

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information